[ubuntu-hardened] Chicken or egg: Ubuntu Startup Disk Creator

Jason Franklin jrf at elitemail.org
Sat Dec 8 12:45:10 UTC 2018


Greetings,

This is a thought I had today.  I'd like some help working through it from some security mavens.

Let's say I'm about to re-install Ubuntu on my ThinkPad.  I have my ISO, and I validate it in the usual manner with the proper GPG key and checksums.  I can be fairly confident that the ISO is valid at this point.

I then create the bootable USB drive with any of a number of tools.  My question is: How can I know that this last step was not subverted in some way?  Once the ISO is written to the USB, does it need to be validated again?  What if the tools to write the ISO were modified to write a modified ISO? I have no real evidence that my system was compromised (no pop-up windows or weird emails coming from my machine, performance problems, etc.), but I suppose it could be.

If my account was compromised, I would assume that whatever malware is running could monitor my keystrokes in my GNOME session and observe me enter the "sudo" password probably multiple times.

Just some thoughts I had today.  How can I possibly have an "ultimately trusted" install disk?

Thanks in advance,
Jason Franklin
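
The re-validation the message asks about can be done by reading the stick back and hashing only its leading ISO-sized region. The following is an added example, not part of the original post; `verify_written_image`, `prefix_sha256` and the `/dev/sdX` device path are hypothetical names, and it assumes `head -c` and `sha256sum` from GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original post). DEVICE is a placeholder such as
# /dev/sdX; a regular file works too, which is how the check can be rehearsed.

# Print the SHA-256 of the first SIZE bytes of TARGET.
prefix_sha256() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# verify_written_image ISO DEVICE [EXPECTED_SHA256]
# Returns 0 on match, 1 on mismatch, 2 if an input cannot be read.
verify_written_image() {
    iso=$1
    dev=$2
    [ -r "$iso" ] && [ -r "$dev" ] || { echo "cannot read $iso or $dev" >&2; return 2; }

    # The stick is normally larger than the image, so only the leading
    # ISO-sized region is comparable; hashing the whole device never matches.
    size=$(wc -c < "$iso" | tr -d ' ')

    # Prefer the digest taken from the GPG-verified SHA256SUMS file when it is
    # supplied; otherwise fall back to hashing the local ISO.
    expected=${3:-$(sha256sum < "$iso" | cut -d' ' -f1)}
    actual=$(prefix_sha256 "$dev" "$size")

    if [ "$actual" = "$expected" ]; then
        echo "OK: $dev matches ($size bytes, sha256 $actual)"
        return 0
    fi
    # A device shorter than the ISO also lands here, because the prefix differs.
    echo "MISMATCH: $dev has $actual, expected $expected" >&2
    return 1
}
```

A read-back performed on the machine that wrote the stick inherits that machine's trust, and a fresh write may be answered from the page cache rather than the device. Re-plug the stick before checking, or run the check from a second machine.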


